Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

efficient search to retrieve information about user sessions with errors

juniormint
Communicator
‎08-19-2014 07:46 AM

index=devdata session=* "ERROR"| eval errorSession=session | join type=outer session [search index=devdata session=errorSession | dedup session sortby _time | eval startTime = _time ] | table _time, session, startTime, _raw

In what sessions do ERRORs occur? When did the error sessions start?

I'm hitting some problems and would like some advice on how to write an efficient search to answer these questions.
1) The above session=errorSession does not appear to work.
2) join seems pretty slow

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-19-2014 08:23 AM

Try this

index=devdata [search index=devdata "ERROR" | dedup session | table session] 
| stats earliest(_time) as startTime by session 
| append [search index=devdata session=* "ERROR" | table _time, session, _raw]
| stats first(startTime) as startTime first(_time) as _time first(_raw) as _raw by session

This should give you startTime of the session, _time and _raw from the Error session.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-19-2014 08:23 AM

Try this

index=devdata [search index=devdata "ERROR" | dedup session | table session] 
| stats earliest(_time) as startTime by session 
| append [search index=devdata session=* "ERROR" | table _time, session, _raw]
| stats first(startTime) as startTime first(_time) as _time first(_raw) as _raw by session

This should give you startTime of the session, _time and _raw from the Error session.

Reply
Solved! Jump to solution

aweitzman
Motivator
‎08-19-2014 08:16 AM

This search will give you all of the session IDs with errors:

index=devdata "ERROR" | dedup session | table session

Use this as a subsearch to get all events for each such session:

index=devdata [search index=devdata "ERROR" | dedup session | table session]

Now tweak it to get the just first event of each such session, and make that your output:

index=devdata [search index=devdata "ERROR" | dedup session | table session] | dedup session sortby +_time | table _time, session, _raw

Reply
Solved! Jump to solution

juniormint
Communicator
‎08-19-2014 01:27 PM

Pretty good answer...capturing the error message rather than first message seen more aligned with my use case.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...